It appears there’s now another tool in the arsenal for those looking at implementing a BeyondCorp-style security model, with the arrival of OIDC authentication support in AWS’s Application Load Balancer. It adds to a growing list of possibilities, at least for HTTP-based services. Who needs a VPN anyway?
The options I’m aware of now include:
- Bitly’s OAuth2 proxy – a simple open-source reverse proxy with OAuth support, written in Go
- Amazon Application Load Balancer – lets you offload authentication to a separate IdP, then passes the resulting claims to the proxied application via HTTP headers.
- Google Identity-Aware Proxy – though this only works if the services you are securing live within Google Cloud
- Azure AD Application Proxy – Microsoft’s answer to the zero-trust model, with a lightweight proxy that sits inside your internal network and connects outbound to the service rather than requiring inbound access.
- Cloudflare Access – hosted reverse proxy with support for major identity providers such as Azure AD and Okta
- ScaleFT – commercial zero-trust platform for securing HTTP-based web access and SSH-based server access, with a high entry cost (starts at $500/month)
- Pritunl Zero – a freemium SaaS service offering HTTP and SSH proxying.
Any others I’m missing? I’d love to hear about folks’ experiences with these.